Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 04:01
Static task
static1
Behavioral task
behavioral1
Sample
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe
Resource
win10v2004-20240802-en
General
-
Target
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe
-
Size
1.8MB
-
MD5
f04b3373ae5c6188c50c1dc9cbb47d5f
-
SHA1
ffcfbcbb82ad2785140e8c9e15437caae75f5e51
-
SHA256
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
-
SHA512
61e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7
-
SSDEEP
24576:1rvlKtCVXdWSpG3nr7m+989JSDLR1c0x9lL/ligQkQ247o0o7GW4ZnBG1ToYVnHL:1rdXkSUxGvDm9lxjTV0o7io1tTWgYCb
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exedd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exedd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe4540b9f84e.exe9706fcd865.exed4f7c40209.exeexplorti.exeexplorti.exepid process 2204 explorti.exe 2604 4540b9f84e.exe 3960 9706fcd865.exe 2936 d4f7c40209.exe 3044 explorti.exe 1104 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4540b9f84e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4540b9f84e.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/696-44-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/696-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/696-48-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exepid process 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 2204 explorti.exe 3044 explorti.exe 1104 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
4540b9f84e.exe9706fcd865.exedescription pid process target process PID 2604 set thread context of 696 2604 4540b9f84e.exe RegAsm.exe PID 3960 set thread context of 4784 3960 9706fcd865.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exedescription ioc process File created C:\Windows\Tasks\explorti.job dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe9706fcd865.exeRegAsm.exed4f7c40209.exedd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exe4540b9f84e.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9706fcd865.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4f7c40209.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4540b9f84e.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exepid process 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 2204 explorti.exe 2204 explorti.exe 3044 explorti.exe 3044 explorti.exe 1104 explorti.exe 1104 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3384 firefox.exe Token: SeDebugPrivilege 3384 firefox.exe Token: SeDebugPrivilege 3384 firefox.exe Token: SeDebugPrivilege 3384 firefox.exe Token: SeDebugPrivilege 3384 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeRegAsm.exefirefox.exepid process 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 3384 firefox.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe 696 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 3384 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exe4540b9f84e.exe9706fcd865.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 1156 wrote to memory of 2204 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 1156 wrote to memory of 2204 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 1156 wrote to memory of 2204 1156 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 2204 wrote to memory of 2604 2204 explorti.exe 4540b9f84e.exe PID 2204 wrote to memory of 2604 2204 explorti.exe 4540b9f84e.exe PID 2204 wrote to memory of 2604 2204 explorti.exe 4540b9f84e.exe PID 2604 wrote to memory of 3176 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 3176 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 3176 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 540 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 540 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 540 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2604 wrote to memory of 696 2604 4540b9f84e.exe RegAsm.exe PID 2204 wrote to memory of 3960 2204 explorti.exe 9706fcd865.exe PID 2204 wrote to memory of 3960 2204 explorti.exe 9706fcd865.exe PID 2204 wrote to memory of 3960 2204 explorti.exe 9706fcd865.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 3960 wrote to memory of 4784 3960 9706fcd865.exe RegAsm.exe PID 696 wrote to memory of 4920 696 RegAsm.exe firefox.exe PID 696 wrote to memory of 4920 696 RegAsm.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 4920 wrote to memory of 3384 4920 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe PID 3384 wrote to memory of 4420 3384 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3176
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:540
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abb5ad8b-5324-4e8e-91d3-5c728ee4abdd} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" gpu7⤵PID:4420
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f56a527-898e-45a0-8ae8-a54bc1e3f469} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" socket7⤵PID:3316
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3152 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f072bf1c-1fc3-40c5-9f46-f2c596f4c637} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:2504
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c776dfda-d536-4358-b3a2-577b3c1f468a} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:2536
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4324 -prefMapHandle 4316 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e52317dd-b9b0-4728-b7f6-258238194d56} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" utility7⤵
- Checks processor information in registry
PID:5288 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77ae3a8e-8dce-4d8e-9d74-2ff8e23a5f60} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:5900
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b29046-f24c-40f6-99f0-db811578d667} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:5912
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {533ffc38-daa9-4aba-9b63-66d0d5bb0267} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:5924
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 6 -isForBrowser -prefsHandle 6228 -prefMapHandle 6240 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69dd901-2177-4d18-b279-6927a168f35d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab7⤵PID:1156
-
C:\Users\Admin\1000037002\9706fcd865.exe"C:\Users\Admin\1000037002\9706fcd865.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3044
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1104
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5493ca2c6a90f04fb410bc18dfd958f53
SHA173482091cc88709902cc09aa8b164c9268b6e9cc
SHA256b7fc4aa9feba9ee8c2307ec6d55b9010b9e8d2a50b2949dcd02cb6f6c3f7eece
SHA51241f4a31c9dcda2816e93b7fc259f3546439bc6eedc5e02aef46eb91b960b6132af6c4bd2f6f5c9fe0b19f2083d45ba9620a15ea72a0abdaeabc527831bbc2b82
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD522b93bb4b5a5ec6fe9aea8c39e0a2c1e
SHA15f326d76769a4f9e6df42bd577e946e381649010
SHA25622a19ed6fa05279ceaf5b1fb022af28597bdb610f89e8aec8389e30b7557a891
SHA51294335961bd2a74da25f515f48cc1aed68939a9473604713f2caabf6b25038cb0e8cb27da2db111d64a28c686f3250d9462a6deed6bc246c7a90f8d9354ade2b6
-
Filesize
1.8MB
MD5f04b3373ae5c6188c50c1dc9cbb47d5f
SHA1ffcfbcbb82ad2785140e8c9e15437caae75f5e51
SHA256dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
SHA51261e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7
-
Filesize
1.2MB
MD50268fe10bef3ec38e53e6a393558b6ce
SHA19ab70efc9284b4a0bb4dd3f816e5070c2c8f6fd0
SHA2564f3605d6a7478c3de5bec04d779793e16c141d0f377f2246d1007f843268c31b
SHA5124357851b65a41c5a3d22ad9b864f163dcaba290bf11d306589dca65cead0ae7d336c732120582bcec1e6b5b9f9f201d5488b75b8966cc9a076bb9d55af1ebbb4
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
Filesize10KB
MD590fee4e5cda9fea897c27dc3b5656210
SHA14a73dbf8db7a98e1a7662ca64d2774e160e0e75a
SHA256b561b785ef42c6139653c801c5e03ebd32ec69e7d15de6c44407cbccbc1e7451
SHA51249c10374d7c4513513c58947ced46584fe5a77903e36e0e3dea3c971eb86061cdff191dd8e9bc94de38c60c27f5fadc43ace1d1d4491b89c4b52ebda36716459
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
Filesize16KB
MD59f2a47d2c847e2d3d3c5a0ea93f4c5bf
SHA18f5258b5794df32f72fd17483ac9ac5dcfe5dbfe
SHA25643900d218982984fbef6c6eab04430979ce8cc0c8402a9656d02e5851ca8c227
SHA512dded8eef9be8cb88618f240c3f9e507814d298af6fb4aced6f4d61835e7e812116babfaf1a6bef689176024c0bae4365255654ec9cf0235e0f60a3ea6d8b7bea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD52f2869fba349258385c2f20920225f8c
SHA1d464d1a31ef64140d7006fce357584205edf4c28
SHA2561384f3a7543c4cd4b4072bc42c79a46c7d080dbf7a4b1031c3de8859865c6782
SHA512be75d202ecc52a1b6422ae6583aed4f33961f47bacc0bfa05701b046ad5eb1793698027e195040c361c7808a0a3686813a39f41dc059c9feb3fbc3e090c799ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD590f238a24f5e2dbbc0b8d7effa273273
SHA15ce9d162201f079af2b9e6f610f2bdefed9a8aec
SHA2568b1440ab28efec731898f8ef3a89f7b24b47194fbfbb33baa5fbe57e42a88e40
SHA512acc8d417f9e7f23d134f4400511bb78d2910158cb1d184a4d31ea452986e63e8a51b9fcc55e93fd1134d248dcea288fb68f297e99ae715920c1e22fc3788048d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\606bed6b-78db-4e97-b48b-db2e16088cfb
Filesize26KB
MD5be75f6bf8e72c756ed113d58bf134153
SHA1a83af50bcd9be46942599773ee4def5ba79e78fc
SHA2567b5c53981ab0e23d499d0c32e6a5cdaff2606d58d92a5d54d1b45bdfcb2654f6
SHA5127c256adfb67b29637752d0f3f3cca0cd185de516994e46862ea022d8d4d30ffba57f0bc90212b9172bb639755ef8bba3e605165ae74a10d8d7d760c2e23aad92
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\92e2d086-9eb1-46eb-b2ed-1d08f873b89e
Filesize982B
MD5ebcb01d8996c2016440c2a67b8a1c2f9
SHA179b8abe81bea73dd6170c14ad20fe926c497c56d
SHA2569e33a9f743436f991af31b11fb9454f1727fb8a1aa9140b0948fff5448d1f6e8
SHA512d261a1496406e63b5b16fe33476fb262225d170e63ad8f05e0eb3abf2c056859b129ef96463cb6bdcf5b597a79d3355957bcb84608d619ad7f07d6ef55859b6a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\a67532c0-bcc0-47ac-b4f5-e1299904c335
Filesize671B
MD5710a9ed7a71d386fbe4da395811d997e
SHA14bc0c2cf577776b98a2e8b81337e56658cae63f3
SHA2568c20ec51dc01a7acb6acca7ddc25bb9be8646403247b640ec2f5979bfd07d7c6
SHA5123d19ee3b50d9217ab9b3396f478b9833e1ff7c0c8eb7064ce3c9ef0442f24445b9bad5a5fb4a79d51e660f0b7d12a9397677c9278fd5ac3808ac153588429e45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD58ab61edb804fb7c7489d0dfb8acf4d52
SHA18e95556894ffedc924e17cb38c3afd6fc11ebe8e
SHA256e3b12671878d0a1b26fd687cc85a15bbd897e3d0e0c5b1ff43ae62ec39c0c9eb
SHA5128f1eca52286ec9fbab5aa049389f6d7d640bb50e3b7973eef83a41be81f1e7aa85662dfafd565a97c622b304e9c5f0e1816d4ca1be51315a6cd02ebc8a2fefba
-
Filesize
16KB
MD5aeabbc822505332d02b049b9d1c70b05
SHA14e357d673e5facf2e38999b50c6013f024814905
SHA256bc23e3c8f614b27d585230833387296229411a8663ca62c2b84645bc03ef56b8
SHA5124dd616c786845b5c108de117d005ecf76231c87b21191b9017799310fe7d50f104af42ae2a51a6679592245b7726e83264890ac86cf4b3796020769b53625963
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5db9114a1e8a5d62ee85db281bd5f44fc
SHA18612f03d39fc02a5faab263bb900d7bf46b72734
SHA256b61d59ce353f589f4d97c12f1b73e24dfe1c55449ff6af6bdd172ff6548041d8
SHA512cb104703957571e34311c3557478a1ae96b97e4ee8c2765c3175745629d50ba3611f446ec648bf968d242fc02cb092823c45f11d0d713fc38a386de3f134e88e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.4MB
MD597fee50395e793d1395391596f6ae518
SHA1e32a9386624634689eb0dabf6bc547e20eb77933
SHA2563aff9ccea4d38404fef73a573cf93911e5915ac60fe857a74956f088edfce530
SHA5129431dcdf6b6262a418143dc2dfebe559c4eb1f3ea5774e96ebf3a92d2db97d7c3c05baf20edddab96cfbb07f6869a889dc050dff87fe453b5d21735538db58b2